Path App Uploads Your Entire Address Book To Its Servers (UPDATE)
UPDATE: A Path spokesperson told The Huffington Post via email that Path version 2.0.6 for iOS has hit the iTunes App Store. The update will let users choose whether or not they want the app to pull all the contacts from their devices. As before, the current version of the Android app continues to allow users to opt in or out.
Path co-founder and CEO Dave Morin also posted an apology on the company's official Tumblr blog and notified users that the cache of stored contacts had been deleted.
"We believe you should have control when it comes to sharing your personal information. We also believe that actions speak louder than words," wrote Morin. "So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path."
PREVIOUSLY: Singapore-based developer Arun Thampi announced recently that he had discovered something worrisome about Path, a smartphone application. According to a post on Thampi's mclov.in blog, without his knowledge Path had uploaded the names, addresses and emails of the contacts in his iPhone to its servers.
While Thampi said he was disturbed by his finding, he didn't accuse Path of acting maliciously. He writes in a disclaimer in the post, "I'm not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service."
Path is a smartphone-based social network that has been around since 2010. It's described on Gizmodo as feeling "intimate," partly because users are only allowed to have 150 friends and partly because of the nature of the interface, which has the unique characteristic of allowing users to see who looks at their posts. Instead of being alienating, Mat Honan at Gizmodo writes, "This one queer action -- showing who is paying attention to you -- has the odd effect of making the space feel like a safe environment to share things. It's like making eye contact, but time shifted."
While ReadWriteWeb suggests that we should expect to pay for free apps with personal information ("Free apps are expensive[..] we pay with our data"), others did not agree. In less than 24 hours Thampi's post garnered almost 4,000 tweets and hundreds of angry comments. In an attempt to explain the company's actions, Path CEO Dave Morin weighed in on the mclov.in blog.
The Path CEO attempted to explain Path's actions by saying that the contacts were uploaded to make it easier for users to find friends on the network. Morin also said that the company would be making the contact upload "opt-in" with the next iOS update. Morin wrote:
"We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval."
Morin also pointed out that the Android version of the app has already been opt-in for several weeks. According to The Verge, however, it's not so much "opt-in" as "this is what you will do":
"Looking at the Android app, it does warn you that the app will pull contact information, although you still can't install without giving Path carte blanche to use the address book."
PC World disagrees with the assertion that Android users are told about the contact pull. Ian Paul writes, "[I]n my tests it was never made clear that your contacts were leaving your phone."
Although Path was quick to respond to the discovery, some users were left with questions. In a comment on Thampi's blog post, Matt Gemmell asks Morin why Path chose not to upload the contact info as a hash. According to PC World, a hash turns plain text into a unique string of numbers or letters so that information can be stored and used without being personally identifiable.
Morin responded by writing, "This is a good alternative solution which we'll look into. Thanks for the idea."
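The hashed upload Gemmell suggested, sketched as an added example (this is not Path's code and does not come from the original article): the phone sends only digests of normalized email addresses, and the server matches them against digests of its members' addresses. The function names, the sample contacts and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import unicodedata


def normalize_email(raw: str) -> str:
    """Canonicalize so the same address hashes identically on every device."""
    return unicodedata.normalize("NFKC", raw).strip().lower()


def digest(identifier: str) -> str:
    """SHA-256 hex digest of an already-normalized identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def client_upload(address_book):
    """What leaves the phone: digests only, no names or raw addresses."""
    return sorted(
        {digest(normalize_email(c["email"])) for c in address_book if c.get("email")}
    )


class MatchServer:
    """Hypothetical friend-finding service that stores member digests only."""

    def __init__(self):
        self._members = {}  # digest -> member id

    def register(self, member_id: str, email: str) -> None:
        self._members[digest(normalize_email(email))] = member_id

    def find_friends(self, uploaded_digests):
        # Match and discard: nothing from the upload is retained. A plain
        # digest of an email address can still be checked against guesses,
        # so uploads are handled as sensitive data, not as anonymous data.
        return sorted(self._members[d] for d in uploaded_digests if d in self._members)


def demo():
    server = MatchServer()
    server.register("u1", "alice@example.com")
    server.register("u2", "bob@example.org")
    # Constructed sample address book; none of these are real contacts.
    book = [
        {"name": "Alice A.", "email": " Alice@Example.com "},
        {"name": "Carol C.", "email": "carol@example.net"},
        {"name": "No Email", "email": ""},
    ]
    upload = client_upload(book)
    return upload, server.find_friends(upload)
```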
In response to another question as to why the contact upload wasn't opt-in from the beginning, Morin writes, "Currently the industry best practices and the App Store guidelines do not specifically discuss contact information."
However, according to Apple Bitch, the App Store guidelines seem to refute the Path CEO's claim. Guideline 17.1 states, an app "cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used." Guideline 17.2 states, "Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected."
Following commenter David Smith's raising of this point on Thampi's blog, there was no further response from Path.
Users who want their contacts or other data removed from Path's service before the roll-out of the upgrade should email firstname.lastname@example.org.